No wonder accounts are being TRIBBLE....

sneyeper Member Posts: 217 Arc User
With all the reports in these forums of accounts being TRIBBLE, I decided it would be a good time to change my account password. There are some major problems here - and it is no wonder accounts are being TRIBBLE. Here is what I had to do....

Starting at the STO forum main page at

http://sto-forum.perfectworld.com/

I click the link for "My Account" at the top. This takes me to the page:

https://my.perfectworld.com/sto/?going_to=/account/sto

This is a secure login page - https. Once logged in, the link to change the password is prominently displayed. Clicking that, I could enter my old password and a new password. I was then informed a verification email was sent to my address. I waited and waited and waited............. I never got an email. I tried over the course of several days and multiple attempts and never got a verification email (and yes - the right email address was labeled). So this password change attempt failed.

So trying something different, starting again at the STO forum main page, I pressed the "Support" link at the top. This took me to the page:

https://support.perfectworld.com/

At the top of this page, I pressed the "My Account" link which took me to the page:

http://www.perfectworld.com/login

Upon logging in, I went through the same process to change my password as before ... and it worked the first time.

So great right? No! Notice that last login link - it is "http". This means that any information sent to the login page is unencrypted. This means that in order for me to successfully change my password, I had to broadcast my login name and password in plaintext to the internet.

No wonder accounts are being TRIBBLE..... Bad Bad Cryptic :mad:
Post edited by sneyeper on
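An added check for the problem described above (example code, not from this thread and not PWE/Cryptic's own): given a page URL and its HTML, it lists every password form whose resolved submit target is not https://, which catches both an http:// login page and an https:// page whose form action still points at http://. The HTML snippets are constructed stand-ins for the two "My Account" login pages, not the real pages' markup.

```python
"""Flag password forms that would submit credentials over plaintext HTTP.

Added example; the HTML below is constructed, not the real PWE pages.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every <form> and whether it holds an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of (action_attr, has_password)
        self._current = None     # form currently being parsed, or None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def plaintext_login_targets(page_url, html):
    """Return resolved submit URLs of password forms that are not HTTPS.

    A form with no action, or a relative one, posts back to the page it is
    on, so the page's own scheme decides; an absolute http:// action on an
    https:// page is just as exposed and is reported too.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    insecure = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)
        if urlsplit(target).scheme.lower() != "https":
            insecure.append(target)
    return insecure


# Constructed sample: a login form posting back to its own page.
HTTP_LOGIN_PAGE = """
<form method="post" action="/login">
  <input name="user"><input type="password" name="pass">
</form>"""

# Constructed sample: an https page whose form action still points at http.
MIXED_PAGE = """
<form method="post" action="http://www.perfectworld.com/login">
  <input name="user"><input type="password" name="pass">
</form>
<form action="/search"><input name="q"></form>"""

if __name__ == "__main__":
    for url, html in [("http://www.perfectworld.com/login", HTTP_LOGIN_PAGE),
                      ("https://my.perfectworld.com/sto/", MIXED_PAGE),
                      ("https://my.perfectworld.com/sto/", HTTP_LOGIN_PAGE)]:
        bad = plaintext_login_targets(url, html)
        print(url, "->", bad or "all password forms submit over HTTPS")
```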

Comments

  • thecosmic1 Member Posts: 9,365 Arc User
    edited May 2013
    Check your spam filters, and make sure you're going to the right email. I've posted in several threads about this over the last few weeks and no one in any of those threads ever waited more than 25 minutes for the verification email to arrive. If it didn't come it's an issue on your end. No one in those threads has ever needed to go directly to the PWE site to make it work.
    STO is about my Liberated Borg Federation Captain with his Breen 1st Officer, Jem'Hadar Tactical Officer, Liberated Borg Engineering Officer, Android Ops Officer, Photonic Science Officer, Gorn Science Officer, and Reman Medical Officer jumping into their Jem'Hadar Carrier and flying off to do missions for the new Romulan Empire. But for some players allowing a T5 Connie to be used breaks the canon in the game.
  • strorus Member Posts: 328 Arc User
    edited May 2013
    Cryptic care to comment on this?
  • sneyeper Member Posts: 217 Arc User
    edited May 2013
    thecosmic1 wrote: »
    Check your spam filters, and make sure you're going to the right email. I've posted in several threads about this over the last few weeks and no one in any of those threads ever waited more than 25 minutes for the verification email to arrive. If it didn't come it's an issue on your end.

    Spam filters - check. Right email - check. In this process of changing my password, I read your posts - I waited for an hour on multiple occasions over the course of several days. If it were a problem on my end, it is unlikely I would have gotten the mail from either method. Even if I am wrong about that, having an unencrypted login page is unacceptable.
  • empireofsteve Member Posts: 665 Arc User
    edited May 2013
    I am pretty sure that that is PWE, not Cryptic.
    NERF CANNONS - THEY NEED A 50% NERF
    CRUISERS NEED A 206% HULL BUFF
  • pyryck Member Posts: 6 Arc User
    edited May 2013
    Why in the bloody heck are you guys asking Cryptic to answer for something their BOSS - PW/PWE does?

    Come on folks, at least TRY to think logically. :(
  • sneyeper Member Posts: 217 Arc User
    edited May 2013
    pyryck wrote: »
    Why in the bloody heck are you guys asking Cryptic to answer for something their BOSS - PW/PWE does?

    Come on folks, at least TRY to think logically. :(

    PWE's security problems are a liability for Cryptic's security. Cryptic should be concerned.
  • p41nm4k3r Member Posts: 3
    edited May 2013
    Try the launcher, it's an IE window which does exactly the same thing.
  • sirokk Member Posts: 990 Arc User
    edited May 2013
    Although there is really no excuse for ALL websites to not be using SSL/TLS by default for ALL content since one certificate can cover all the systems and turning-on SSL on the webservers is little more than making sure hrefs include either HTTPS or relative links in their URLs and then clicking a check box.

    But it's not as bad as you think though, for someone to see your content (messages, username, passwords, anything sent/received, etc) they would have to be physically in-line with you and the host, PWE/Cryptic in this case. Because the network switches and routers (even modern home wireless routers) do not broadcast the data to all the nodes on a network - the data is routed directly to the host you are communicating with.

    Most likely either people are sharing their passwords or key-loggers are installed on their systems. Besides a properly configured and implemented two-factor authentication system, unique passwords for all accounts and up-to-date antivirus software that is capable of detecting keyloggers, there is no technological solution that can prevent a password being used if it is willingly given (edit: or leaked) to someone else.

    Along with the recommendations PWE/Cryptic has given...

    DO NOT share your passwords with ANYONE.

    Use strong passwords - long, uncommon words with symbols and numbers.

    Use DIFFERENT PASSWORDS for each of your accounts - yes it's a pain but it's a must - Try LastPass.com to manage your passwords so that they are strong and unique.

    Use antivirus software capable of detecting keyloggers and make sure it is UP TO DATE.

    To reduce opportunities of getting malware (worms, viruses and keyloggers) on your gaming rig, try either using a different computer or setting up dual-booting on your system to have a "general use operating system" and a "gaming operating system". This would help keep your "gaming" setup cleaner for better optimized game play. (edit: ...and only use the "gaming" operating system to game and not browse, etc.)
    Star Trek Battles Channel - Play Star Trek like they did in the series!
    Avatar: pinterest-com/pin/14003448816884219
    Are you sure it isn't time for a "colorful metaphor"? --Spock in 'The Voyage Home'
    SCE ADVISORY NOTICE: Improper Impulse Engine maintenance can result in REAR THRUSTER LEAKAGE. ALWAYS have your work inspected by another qualified officer.
  • sosolidshoe Member Posts: 174 Arc User
    edited May 2013
    Step 1 - download Firefox.
    Step 2 - download HTTPS Everywhere and HTTPS Finder.
    Step 3 - ????
    Step 4 - Profit.

    Get Ghostery while you're at it if you've not already, same goes for NoScript and Flashblock.

    We are PWE. Your forums and game accounts will be added to our own. Your community will adapt to service us. Resistance is futile.
  • anazonda Member Posts: 8,399 Arc User
    edited May 2013
    Of course there is the fact that password and username are sent as clear text, which makes them easily interceptable...

    And since the connection doesn't use SSL... well..
    Don't look silly... Don't call it the "Z-Store/Zen Store"...
    Let me put the rumors to rest: it's definitely still the C-Store (Cryptic Store) It just takes ZEN.
    Like Duty Officers? Support efforts to gather ideas
  • charliescot25 Member Posts: 269 Arc User
    edited May 2013
    This is becoming more alarming for loads of people. It's such a shame when people come to Star Trek Online to have fun, not knowing their account has been TRIBBLE. No one should have to feel scared to log in nowadays. As people suggested: change your password and make a complex, secure one.

    Don't use the same password from your other stuff.
  • sollvax Member Posts: 4 Arc User
    edited May 2013
    If you visit the websites of Gold sellers you WILL be TRIBBLE/scammed/Robbed

    so don't
    Live long and Prosper
  • artanisen Member Posts: 431 Arc User
    edited May 2013
    I thought the account guard was supposed to prevent this sort of thing.
    Even if they have your info they shouldn't be able to get on the account.

    Looks like someone's getting fired.
  • thecosmic1 Member Posts: 9,365 Arc User
    edited May 2013
    artanisen wrote: »
    I thought the account guard was supposed to prevent this sort of thing.
    Even if they have your info they shouldn't be able to get on the account.

    Looks like someone's getting fired.
    If someone goes into your game and it's not you, you'll get an email. If someone changes your email address in your My Account page, you'll get an email. Unfortunately if you signed up with a throw-away email account, or an email account you only check once a year, the notification is useless.
  • p41nm4k3r Member Posts: 3
    edited May 2013
    It only notifies you, it doesn't ask for confirmation for some idiotic reason.

    The way it's set up right now renders the account guard completely useless, it just gets in the way for the players.
  • artanisen Member Posts: 431 Arc User
    edited May 2013
    I did a quick look at the My Account and Support pages and never really paid attention before. 2 different "my account" pages for STO..

    lol when there should only be one.
  • szioul Member Posts: 34 Arc User
    edited May 2013
    And why on Earth are they arbitrarily limiting the maximum password length?
  • sneyeper Member Posts: 217 Arc User
    edited May 2013
    artanisen wrote: »
    I thought the account guard was supposed to prevent this sort of thing.
    Even if they have your info they shouldn't be able to get on the account.

    A lot of people tend to use the same password everywhere. So if you send your password to this website in plain text (when quoting this post I was sent the unsecure login page), and someone obtains that, all they need to do is as follows:

    1. Log in to your PWE/Cryptic account
    2. Check for the email used for the account
    3. Now they have your email address and compromised password - so they login to your email and either take it over, or simply use the confirmation emails sent to that email account.
    4. They change your PWE/Cryptic account settings and validate it with your now TRIBBLE email.

    Account guard won't protect you here, and it would entirely be PWE/Cryptic's fault for not having an encrypted login page. Not a lot you can do except have different passwords for PWE/Cryptic and your email.
  • edited May 2013
    This content has been removed.
  • bpharma Member Posts: 2,022
    edited May 2013
    If someone wants to hack you and your account they can and will do it, it might not be easy and it might take a while but if someone really wanted to do it they could. Having said that why would they? No offense but most people in this game don't have anything worth grabbing and unless you're being one massive **** to the wrong people they don't care.

    The reason accounts get TRIBBLE is the player shares their information either voluntarily or involuntarily and in most cases it is the player's fault. Every time I've bumped into account guard it's been just a quick enter code and bam done. It's also always come through to my e-mail address just fine. Unless you're using a very obscure e-mail provider or have previously marked things from PWE as spam then it should get through to you. Once again, it's you that is the weak link not Cryptic.

    The people who get TRIBBLE are targets of opportunity, they're not being TRIBBLE for valuable items, they're not being targeted specifically, they just have poorly protected accounts/computers. Should the PWE site be secure? Yes, but you shouldn't have any need to use it anyway.

    Also OP, you're smart enough to notice it was an unsecured site you were changing your password on and did it anyway? Bad bad computer whizz.

    It is through repetition that we learn our weakness.
    A master with a stone is better than a novice with a sword.

    Has damage got out of control?
    This is the last thing I will post.
  • bpharma Member Posts: 2,022
    edited May 2013
    sneyeper wrote: »
    A lot of people tend to use the same password everywhere. So if you send your password to this website in plain text (when quoting this post I was sent the unsecure login page), and someone obtains that, all they need to do is as follows:

    1. Log in to your PWE/Cryptic account
    2. Check for the email used for the account
    3. Now they have your email address and compromised password - so they login to your email and either take it over, or simply use the confirmation emails sent to that email account.
    4. They change your PWE/Cryptic account settings and validate it with your now TRIBBLE email.

    Account guard won't protect you here, and it would entirely be PWE/Cryptic's fault for not having an encrypted login page. Not a lot you can do except have different passwords for PWE/Cryptic and your email.

    I'm sorry but it's not PWE/Cryptic's fault if your other stuff gets TRIBBLE in that instance. It is your fault for making all your passwords the same. You wouldn't use the same key for 10 different houses would you?

  • gfreeman98 Member Posts: 1,201 Arc User
    edited May 2013
    sneyeper wrote: »
    This means that in order for me to successfully change my password, I had to broadcast my login name and password in plaintext to the internet.
    Your concern is completely valid, but just a little clarification:

    Your password is not "broadcast" to the Internet, the communication is between you and the perfectworld.com web server. The only people that can intercept this traffic are those that share your network connection within your house*, those that share your network connection with your ISP**, and any entities that may be tapped into the ISP or any of the WAN links along the route between it and perfectworld.com; e.g. NSA and DHS. This is why plaintext authentication is insecure.

    * This is especially an issue if your PC is using wireless. WiFi traffic is easy to sniff by anyone in proximity to your access point. Multiply the risk if you live in something like an apartment where everyone is close together.

    ** It's bad if you're on Cable, since you share your bandwidth with everyone else on Cable in your neighborhood. (This is not an issue with DSL since your connection is point-to-point.)
  • artanisen Member Posts: 431 Arc User
    edited May 2013
    bpharma wrote: »
    I'm sorry but it's not PWE/Cryptic's fault if your other stuff gets TRIBBLE in that instance. It is your fault for making all your passwords the same. You wouldn't use the same key for 10 different houses would you?

    Actually it is, they're responsible for account safety and security...

    If no one feels safe.. well, don't really need to go into details on that.

    and its more like having a safety deposit box in someone else's building,
    using the same key for other safety deposit boxes.
  • p41nm4k3r Member Posts: 3
    edited May 2013
    bpharma wrote: »
    If someone wants to hack you and your account they can and will do it, it might not be easy and it might take a while but if someone really wanted to do it they could. Having said that why would they? No offense but most people in this game don't have anything worth grabbing and unless you're being one massive **** to the wrong people they don't care.

    The reason accounts get TRIBBLE is the player shares their information either voluntarily or involuntarily and in most cases it is the player's fault. Every time I've bumped into account guard it's been just a quick enter code and bam done. It's also always come through to my e-mail address just fine. Unless you're using a very obscure e-mail provider or have previously marked things from PWE as spam then it should get through to you. Once again, it's you that is the weak link not Cryptic.

    The people who get TRIBBLE are targets of opportunity, they're not being TRIBBLE for valuable items, they're not being targeted specifically, they just have poorly protected accounts/computers. Should the PWE site be secure? Yes, but you shouldn't have any need to use it anyway.

    Also OP, you're smart enough to notice it was an unsecured site you were changing your password on and did it anyway? Bad bad computer whizz.

    Account guard does not guard your account.

    It doesn't ask for confirmation from the old email address to change to a new one.

    It gives you 10 seconds at most, while they verify the new address and boom, it's theirs.
  • sirokk Member Posts: 990 Arc User
    edited May 2013
    Step 1 - download Firefox.
    Step 2 - download HTTPS Everywhere and HTTPS Finder.
    Step 3 - ????
    Step 4 - Profit.

    Get Ghostery while you're at it if you've not already, same goes for NoScript and Flashblock.

    It takes more than this to start being secure.

    More directly to what is mentioned, HTTPS Finder and HTTPS Everywhere do not help if SSL (HTTPS addresses) are not being offered by the site.
  • tehburnstep Member Posts: 71 Arc User
    edited May 2013
    bpharma wrote: »
    If someone wants to hack you and your account they can and will do it, it might not be easy and it might take a while but if someone really wanted to do it they could. Having said that why would they? No offense but most people in this game don't have anything worth grabbing and unless you're being one massive **** to the wrong people they don't care.

    The reason accounts get TRIBBLE is the player shares their information either voluntarily or involuntarily and in most cases it is the player's fault. Every time I've bumped into account guard it's been just a quick enter code and bam done. It's also always come through to my e-mail address just fine. Unless you're using a very obscure e-mail provider or have previously marked things from PWE as spam then it should get through to you. Once again, it's you that is the weak link not Cryptic.

    The people who get TRIBBLE are targets of opportunity, they're not being TRIBBLE for valuable items, they're not being targeted specifically, they just have poorly protected accounts/computers. Should the PWE site be secure? Yes, but you shouldn't have any need to use it anyway.

    Also OP, you're smart enough to notice it was an unsecured site you were changing your password on and did it anyway? Bad bad computer whizz.

    While I agree with you... in theory... that the vast majority of account hacks are a PEBCAK issue, that in no way, shape, or form excuses Cryptic in this. There is ZERO excuse for ever having an unsecured login. The blind devotion of some people....
  • bpharma Member Posts: 2,022
    edited May 2013
    I'm not devoted to Cryptic but I do think there are a lot of people that do not take the proper security precautions online. Yes PWE shouldn't have an unsecured change password site as the backup but then again they have a secure one that works and is the first port of call in most cases.

    Also the OP having seen it was unsecured then went ahead and used it knowing full well the risk involved. He could have e-mailed support, phoned them or maybe even written a letter (they do take snail mail right?) to resolve this issue but instead chose something he knew wasn't a smart thing to do.

    Artanisen, in the example you provided about safety deposit boxes, PWE/Cryptic are only responsible for keeping the box and, within reason, its contents safe, but not for restricting access to it.

  • jonsills Member Posts: 10,473 Arc User
    edited May 2013
    Of course you use different passwords for each account. Back in the day, when the Internet was a baby and the Web not even a dream, we called it "practicing safe hex".

    Lord knows there have been enough popular articles, news stories, basic-computer-literacy courses, etc, that have been trying to hammer that lesson home over the past 20 years or so; by this point, everyone with a computer should be well aware that using a single password for everything is about as secure as fastening all your windows shut, but leaving your doors unlocked.

    Sorry, but if you get multiple accounts TRIBBLE because you used the same p/w over and over, my sympathies, while not nonexistent, are limited.
  • sneyeper Member Posts: 217 Arc User
    edited May 2013
    bpharma wrote: »
    Also the OP having seen it was unsecured then went ahead and used it knowing full well the risk involved. He could have e-mailed support, phoned them or maybe even written a letter (they do take snail mail right?) to resolve this issue but instead chose something he knew wasn't a smart thing to do.

    Yup - that is the point. The only working option for me to change my password is to login through an unsecure page. Given that it is both prudent and recommended in light of the current apparent account takeovers, I have no choice.

    Email, phone, or snail mail ...... the problem isn't me. I am using a PWE/Cryptic SUPPORTED AND SUPPLIED method to change my password - the supported and supplied method is insecure. Period.
  • sneyeper Member Posts: 217 Arc User
    edited May 2013
    jonsills wrote: »
    Sorry, but if you get multiple accounts TRIBBLE because you used the same p/w over and over, my sympathies, while not nonexistent, are limited.

    Of course it is an incredibly bad practice to use the same password. It doesn't negate PWE/Cryptic's responsibility to protect account/user information entered into their website. And yes - it is a responsibility because real life money paid to them for use of services/items by an account holder might be stolen by a poorly secured login page. Given that they have other pages that are secured, it is inexcusable to have one that isn't.